167 changes: 139 additions & 28 deletions packages/nb-config/compositions/nboperatorbootstrap/resources/kcl-step.k
Expand Up @@ -14,6 +14,8 @@ readyBasedOnConditions = lambda o: any -> bool {
# Simply check if all conditions are True
len(conditions) > 0 and all_true([c.status == "True" for c in conditions])
}
# Define router indices
_router_indices = [1, 2, 3]

_zitadel_project_id_secret = {
apiVersion = "kubernetes.crossplane.io/v1alpha2"
Expand Down Expand Up @@ -213,6 +215,9 @@ if parameters.accessToken.destinationType == "sc":
kind = "Namespace"
metadata = {
name = parameters.operatorNamespace
labels = {
"hostport.rmb938.com": "true"
}
}
}
}
Expand Down Expand Up @@ -258,7 +263,7 @@ if parameters.accessToken.destinationType == "sc":
metadata = {
name = "{}-sc-nb-operator-kyverno-policy-install".format(oxr.metadata.name)
annotations = {
"krm.kcl.dev/composition-resource-name": "sc-nb-operator-policy-kyverno-install"
"krm.kcl.dev/composition-resource-name" = "sc-nb-operator-policy-kyverno-install"
}
}
spec = {
Expand All @@ -268,10 +273,9 @@ if parameters.accessToken.destinationType == "sc":
kind = "ClusterPolicy"
metadata = {
name = "nbrouter-add-security-context"
namespace = parameters.operatorNamespace
annotations = {
"policies.kyverno.io/title": "Add security context to nbrouter deployment"
"policies.kyverno.io/description": "This policy updates pod security context of nbrouter deployment"
"policies.kyverno.io/title" = "Add security context to nbrouter deployment"
"policies.kyverno.io/description" = "This policy updates pod security context of nbrouter deployment"
}
}
spec = {
Expand All @@ -282,39 +286,40 @@ if parameters.accessToken.destinationType == "sc":
"any" = [
{
resources = {
kinds = [
"Pod"
]
namespaces = [
parameters.operatorNamespace
]
kinds = ["Pod"]
namespaces = [parameters.operatorNamespace]
selector = {
matchLabels = {
"app.kubernetes.io/name": "netbird-router"
"app.kubernetes.io/name" = "netbird-router"
}
}
}
}
]
}
mutate = {
patchStrategicMerge = {
spec = {
securityContext = {
sysctls = [
{
name = "net.ipv4.ip_forward"
value = "1"
}
]
}
context = [
{
name = "hostportclaim"
apiCall = {
urlPath = "/apis/hostport.rmb938.com/v1alpha1/namespaces/{{ request.namespace }}/hostportclaims/netbird-{{ request.object.metadata.ownerReferences[0].name | split(@, '-') | [0:-1] | join('-', @) }}"
jmesPath = "spec.hostPortName"
}
}
{
name = "hostport"
apiCall = {
urlPath = "/apis/hostport.rmb938.com/v1alpha1/hostports/{{ hostportclaim }}"
jmesPath = "status.port"
}
}
]
mutate = {
patchesJson6902 = "- op: add\n path: \"/spec/containers/0/ports\"\n value: \n - name: router\n containerPort: {{ hostport }}\n hostPort: {{ hostport }}\n protocol: UDP\n- op: add\n path: \"/spec/containers/0/env/-\"\n value: {\"name\": \"NB_EXTERNAL_IP_MAP\", \"valueFrom\": {\"fieldRef\": {\"fieldPath\": \"status.hostIP\"}}}\n- op: add\n path: \"/spec/containers/0/env/-\"\n value: {\"name\": \"NB_WIREGUARD_PORT\", \"value\": \"{{ hostport }}\"}\n- op: add\n path: \"/spec/containers/0/securityContext\"\n value: {\"privileged\": true}\n- op: add\n path: \"/spec/securityContext\"\n value: {\"sysctls\": [{\"name\": \"net.ipv4.ip_forward\", \"value\": \"1\"}]}"
}
preconditions = {
"any" = [
"all" = [
{
key = "{{request.operation}}"
key = "{{ request.operation }}"
operator = "In"
value = ["CREATE", "UPDATE"]
}
Expand Down Expand Up @@ -424,6 +429,108 @@ if parameters.accessToken.destinationType == "sc":
}
}
}

_nb_router_peers = [{
apiVersion = "kubernetes.crossplane.io/v1alpha2"
kind = "Object"
metadata = {
name = "nb-router-peer-{}".format(i)
annotations = {
"krm.kcl.dev/composition-resource-name": "nb-router-peer-{}".format(i)
}
}
spec = {
forProvider = {
manifest = {
apiVersion = "netbird.io/v1"
kind = "NBRoutingPeer"
metadata = {
name = "router-{}".format(i)
namespace = parameters.operatorNamespace
finalizers = ["netbird.io/cleanup"]
labels = {
"app.kubernetes.io/component": "operator"
"app.kubernetes.io/instance": "netbird-operator"
"app.kubernetes.io/name": "kubernetes-operator"
}
}
spec = {
replicas = 1
}
}
}
managementPolicies = spec?.managementPolicies
providerConfigRef = {
name = spec?.providerConfigsRef?.scK8sProviderName
}
}
} for i in _router_indices]

# Create HostPortClaim resources for each router

_hostport_claims = [{
apiVersion = "kubernetes.crossplane.io/v1alpha2"
kind = "Object"
metadata = {
name = "sc-hostport-claim-{}".format(i)
annotations = {
"krm.kcl.dev/composition-resource-name": "sc-hostport-claim-{}".format(i)
}
}
spec = {
forProvider = {
manifest = {
apiVersion = "hostport.rmb938.com/v1alpha1"
kind = "HostPortClaim"
metadata = {
name = "netbird-router-{}".format(i)
namespace = parameters.operatorNamespace
}
spec = {
hostPortClassName = "netbird-hostports"
}
}
}
managementPolicies = spec?.managementPolicies
providerConfigRef = {
name = spec?.providerConfigsRef?.scK8sProviderName
}
}
} for i in _router_indices]

_hostport_class = {
apiVersion = "kubernetes.crossplane.io/v1alpha2"
kind = "Object"
metadata = {
name = "{}-sc-hostport-class".format(oxr.metadata.name)
annotations = {
"krm.kcl.dev/composition-resource-name": "sc-hostport-class"
}
}
spec = {
forProvider = {
manifest = {
apiVersion = "hostport.rmb938.com/v1alpha1"
kind = "HostPortClass"
metadata = {
name = "netbird-hostports"
}
spec = {
pools = [
{
start = 51820
end = 51830
}
]
}
}
}
managementPolicies = spec?.managementPolicies
providerConfigRef = {
name = spec?.providerConfigsRef?.scK8sProviderName
}
}
}
# elif parameters.accessToken.destinationType == "tenantVault":
# # TODO: Implement tenant vault stuff
_internal_network_policy = {
Expand Down Expand Up @@ -474,13 +581,17 @@ _items += [

if readyBasedOnConditions(ocds["zitadel-project-id-secret"]):
_items += [
_external_access_group
_network_resource_group
_service_user
_external_access_group,
_network_resource_group,
_service_user,
_access_token
]
if parameters.accessToken.destinationType == "sc":
_items += [_sc_netbird_namespace, _sc_access_token_secret_copy, _sc_nb_operator_kyverno_policy, _sc_nb_op_secret_update_kyverno_policy]
_items += [_sc_netbird_namespace, _sc_access_token_secret_copy, _sc_nb_operator_kyverno_policy, _sc_nb_op_secret_update_kyverno_policy, _hostport_class]
_items += _hostport_claims
_items += _nb_router_peers


if parameters.accessToken.destinationType == "tenantVault":
_items += [_push_secret_access_token]

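Review bot: The `patchesJson6902` string in the mutate rule grants the netbird-router container `{"privileged": true}`, which is far broader than a WireGuard routing peer appears to need (the `net.ipv4.ip_forward` sysctl and the hostPort are already patched separately), and since JSON Patch `add` on an existing member replaces it, the patch also discards any securityContext the operator itself sets on that container. Unless the router needs more than network administration (confirm against the operator's deployment), prefer `value: {"capabilities": {"add": ["NET_ADMIN"]}}` and patch a narrower path such as `/spec/containers/0/securityContext/capabilities` so the existing context is merged rather than overwritten. Separately, `_nb_router_peers`, `_hostport_claims` and `_hostport_class` read `spec?.managementPolicies` and `spec?.providerConfigsRef?.scK8sProviderName` from inside a block that is itself defining a `spec` key; the second file in this change renames the top-level binding to `oxr_spec` to avoid exactly that ambiguity, and these three new objects should use the same unambiguous name. The ClusterPolicy definition starts and ends outside this hunk.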
Expand Up @@ -2,8 +2,8 @@
oxr = option("params").oxr
ocds = option("params").ocds

spec = oxr.spec
parameters = spec.parameters
oxr_spec = oxr.spec
parameters = oxr_spec.parameters
# Initialize the items list
_items = []

Expand All @@ -14,48 +14,9 @@ readyBasedOnConditions = lambda o: any -> bool {
len(conditions) > 0 and all_true([c.status == "True" for c in conditions])
}

# _network_resource_group = {
# apiVersion = "vpn.netbird.crossplane.io/v1alpha1"
# kind = "NbGroup"
# metadata = {
# name = "{}-network-resource-group".format(oxr.metadata.name)
# annotations = {
# "krm.kcl.dev/composition-resource-name": "network-resource-group"
# "crossplane.io/external-name": parameters.groupNames.networkResourceGroup
# }
# }
# spec = {
# forProvider = {
# name = parameters.groupNames.networkResourceGroup
# }
# providerConfigRef = {
# name = spec?.providerConfigsRef?.netbirdProviderConfigName
# }
# managementPolicies = spec?.managementPolicies
# }
# }


# _nb_network = {
# apiVersion = "vpn.netbird.crossplane.io/v1alpha1"
# kind = "NbNetwork"
# metadata = {
# name = "{}-nb-network".format(oxr.metadata.name)
# annotations = {
# "krm.kcl.dev/composition-resource-name": "nb-network"
# "crossplane.io/external-name": parameters.networkResource.networkName
# }
# }
# spec = {
# forProvider = {
# name = parameters.networkResource.networkName
# }
# providerConfigRef = {
# name = spec?.providerConfigsRef?.netbirdProviderConfigName
# }
# managementPolicies = ["Observe"]
# }
# }
# Get provider config references from the XR spec
_netbird_provider_config = oxr_spec?.providerConfigsRef?.netbirdProviderConfigName
_management_policies = oxr_spec?.managementPolicies

_nb_network_resource = {
apiVersion = "vpn.netbird.crossplane.io/v1alpha1"
Expand All @@ -80,22 +41,16 @@ _nb_network_resource = {
network_name: parameters.networkResource.networkName
}
providerConfigRef = {
name = spec?.providerConfigsRef?.netbirdProviderConfigName
name = _netbird_provider_config
}
managementPolicies = spec?.managementPolicies
managementPolicies = _management_policies
}
}



# Add the resources to the items list
_items += [
_nb_network_resource
]

_items += [_nb_network_resource]

dxr = {
**oxr
}

items = _items + [dxr]
items = _items + [dxr]
Expand Up @@ -67,7 +67,7 @@ _sc_argocd_operator_app_install = {
ingress = {
enabled = True
router = {
enabled = True
enabled = False
}
kubernetesAPI = {
enabled = False